In Wake of Colonial Pipeline Attack, Ransomware as Unrestrained as Ever, Experts Say
The White House says it has put Russia on notice over the ransomware attack against meat processing giant JBS. Experts say that despite the chaos caused by the Colonial Pipeline hit and other recent attacks, the pace of ransomware operations hasn’t slowed.
The FBI is probing the attack on JBS, with the U.S. Cybersecurity and Infrastructure Security Agency offering technical assistance to the company, which is based in Sao Paulo but has offices in the United States.
Speaking to reporters Tuesday aboard Air Force One, White House Press Secretary Karine Jean-Pierre said JBS believes the ransomware attack was launched from Russia, which has led the Biden administration to deliver a stern warning to Moscow.
“The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals,” Jean-Pierre told reporters, according to a transcript of her remarks. “The FBI is investigating the incident, and CISA is coordinating with the FBI to offer technical support to the company in recovering from the ransomware attack.”
JBS: Resuming Production
JBS says it discovered the “cybersecurity attack” on Sunday. The company has not said which gang might have targeted it or whether a ransom has been demanded. But security firms have noted that no ransomware operation has claimed credit for the attack via a data leak site, where gangs often attempt to name, shame and shake down victims.
The meat processor says the attack impacted servers in Canada, North America and Australia, and operations were halted in those geographies on Monday. But the company says it continues to make steady progress with its recovery.
“Our systems are coming back online, and we are not sparing any resources to fight this threat,” says Andre Nogueira, CEO of JBS USA. “We have cybersecurity plans in place to address these types of issues, and we are successfully executing those plans.”
JBS says operations in Canada are fully back online, and that the “vast majority” of affected beef, pork, poultry and prepared food plants should resume operations by the end of Wednesday, including in the U.S. and Australia.
The White House says the U.S. Department of Agriculture is reaching out to other meat suppliers to ensure they’re aware of the JBS incident and taking steps to defend themselves against similar attacks. Agriculture operations and food processing facilities are designated by CISA as being critical infrastructure. But food plants – similar to manufacturing plants – have often proven to be soft targets for ransomware distributors, says Allan Liska, who is part of cybersecurity firm Recorded Future’s computer security incident response team.
“In general, food processing has been easy pickings,” Liska says.
Pace of Ransomware Attacks Continues
The attack against JBS follows the May 7 ransomware attack against Colonial Pipeline Co., which triggered fuel-buying panic along the East Coast of the U.S. and highlighted vulnerabilities in the country’s critical infrastructure (see Colonial Pipeline Attack Leads to Calls for Cyber Regulations).
With officials signaling a ransomware crackdown, two cybercrime forums – Raid and XSS – claimed they would no longer allow ransomware gangs to advertise on their sites, including recruiting affiliates. But experts say any such bans, if indeed they are real, appear to be only loosely enforced.
Many ransomware operations today are run using a ransomware-as-a-service model, in which operators develop crypto-locking malware, a payment portal for victims, and dedicated data-leaking sites. Operators then vet and recruit affiliates, who infect victims with the ransomware, oftentimes after first stealing data from the victims that they can leak to pressure victims into paying.
Every time a victim pays a ransom, the operator and affiliate share in the profits.
The RaaS operation responsible for the hit on Colonial Pipeline was DarkSide. In the immediate aftermath of the attack, DarkSide claimed it would be more closely monitoring the types of organizations its affiliates target. Subsequently, however, the gang said it would cease affiliate operations altogether. Given the heat generated by the Colonial Pipeline hit, some experts expect the operators to rebrand their efforts under a different name (see: Ransomware Gangs ‘Playing Games’ With Victims and Public).
Despite public outrage over the increase in ransomware attacks targeting U.S. public infrastructure, attackers don’t seem deterred in recent weeks. “There really hasn’t been a slowdown at all in ransomware,” Recorded Future’s Liska says.
Indeed, at least 16 victim organizations have seen their private data get dumped by ransomware operators since the Colonial Pipeline incident, he says.
Leaks Target CD Projekt Red
On Tuesday, for example, attackers publicly posted source code belonging to Polish game development firm CD Projekt Red. The company first disclosed on Feb. 9 that it had been hit by ransomware. Its attacker claimed to have first stolen the source code for the games Cyberpunk 2077, Witcher 3 and Gwent.
CD Projekt Red said in February that “we will not give in to the demands nor negotiate with the actor.” Even four months later, however, the company is still being harassed by its attackers.
Important Update pic.twitter.com/PCEuhAJosR
— CD PROJEKT RED (@CDPROJEKTRED) February 9, 2021
In other words, resistance to paying by at least some victims doesn’t appear to have deterred ransomware affiliates. “It’s very easy for affiliates to jump from one ransomware to another,” Liska says. “We’ve kind of seen the hole filled by DarkSide’s absence with an uptick in attacks from Avaddon and Conti ransomware and other second-tier RaaS.”
While the Colonial Pipeline attack may have garnered a lot of public attention, none of that has served as a disincentive for ransomware-wielding gangs to cease operations, says Brett Callow, a threat analyst with the security firm Emsisoft. “The only thing it may have changed is governments’ response,” he says.
The U.S. government has been moving to more aggressively combat ransomware. In April, the Justice Department launched the Ransomware and Digital Extortion Task Force, which aims to disrupt ransomware-wielding crime syndicates.
Meanwhile, the Institute for Security and Technology has coordinated a new Ransomware Task Force, which has outlined strategies for fighting ransomware. Recommendations include pressuring countries where ransomware gangs operate, improving intelligence efforts, mandating that victims report payments and consider alternatives before paying and analyzing cryptocurrency payment channels for choke points (see Fighting Ransomware: A Call for Cryptocurrency Regulation).
The U.S. has previously tested using sanctions to disrupt gangs. In December 2019, the Treasury Department added the crime gang called Evil Corp. to its list of sanctioned entities, noting that it was one of the world’s most prolific cybercriminal organizations.
Arguably, however, these are long-term, as-yet-unproven strategies for potentially disrupting a threat that remains immediate and, for numerous organizations, existential.
Executive Editor Mathew Schwartz contributed to this report.